[ 
https://issues.apache.org/jira/browse/YARN-4737?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15177543#comment-15177543
 ] 

Varun Vasudev commented on YARN-4737:
-------------------------------------

Thanks for the updated patch Jon. Some more fixes required -

1) In WebApps.java -
{code}
+        Map<String, String> params = getCsrfConfigParameters();
+        if (hasCSRFEnabled(params)) {
+          LOG.info("CSRF Protection has been enabled for the {} application. "
+                  + "Please ensure that there is an authentication mechanism "
+                  + "enabled (kerberos, custom, etc).",
+              name);
+          String restCsrfClassName = RestCsrfPreventionFilter.class.getName();
+          HttpServer2.defineFilter(server.getWebAppContext(), 
restCsrfClassName,
+              restCsrfClassName, params,
+              new String[] {"/*"});
+        }
{code}
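Review bot: hasCSRFEnabled(params) gates only on the configuration flag, and the LOG.info line then asks the operator to make sure an authentication mechanism is enabled; nothing in the hunk checks that an authentication filter is actually defined on this context, so a deployment that turns on rest-csrf without Kerberos or a custom authenticator gets the filter while the requests it guards still carry no credential worth protecting. Consider checking that an authentication filter is configured before defining the CSRF filter, or at least logging this at WARN rather than INFO so the condition is visible. Also note the mapping is "/*", so the filter covers every path on the web app, not only the REST endpoints; that is probably intended, but worth stating in the log message or a comment.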
should be before
{code}
         HttpServer2.defineFilter(server.getWebAppContext(), "guice",
           GuiceFilter.class.getName(), null, new String[] { "/*" });
{code}

The guice filter redirects the request to the appropriate handler and the 
requests get executed before going through the CSRF filter.

2) The JHS configs in mapred-default.xml start with the prefix - 
mapreduce.jobhistory.webapp but the prefix used in code is mapreduce.jobhistory 
(no webapp) - I think you need to create a mapreduce.jobhistory.webapp prefix 
in the code.

3) In yarn-default.xml, all the timeline service configs have an extra "." in 
them after "yarn.timeline-service". e.g. 
yarn.timeline-service..webapp.rest-csrf.methods-to-ignore

The failing tests and ASF warnings are unrelated to the patch.

> Use CSRF Filter in YARN
> -----------------------
>
>                 Key: YARN-4737
>                 URL: https://issues.apache.org/jira/browse/YARN-4737
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: nodemanager, resourcemanager, webapp
>            Reporter: Jonathan Maron
>            Assignee: Jonathan Maron
>         Attachments: YARN-4737.001.patch, YARN-4737.002.patch
>
>
> A CSRF filter was added to hadoop common 
> (https://issues.apache.org/jira/browse/HADOOP-12691).  The aim of this JIRA 
> is to come up with a mechanism to integrate this filter into the webapps for 
> which it is applicable (web apps that may establish an authenticated 
> identity).  That includes the RM, NM, and mapreduce jobhistory web app.
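The filter-ordering point in the comment above is the kind of thing that is easier to see run than to read. The following is an added illustration, not Hadoop code and not part of the JIRA discussion: it models a servlet filter chain in which filters run in the order they were defined, a Guice-style dispatching filter that handles a routed request without invoking the rest of the chain, and a CSRF filter driven by the same style of parameter map that getCsrfConfigParameters() produces. The header name X-XSRF-HEADER, the 400 status on a missing header, the default ignored methods and the parameter keys methods-to-ignore and custom-header are assumptions about RestCsrfPreventionFilter, and the route and handler are constructed stand-ins. Python is used here only because the servlet-interface boilerplate a stand-alone Java version would need is larger than the point being shown.

```python
"""
Model of a servlet filter chain, added to show why the order in which
HttpServer2.defineFilter() registers the CSRF filter and the Guice filter
decides whether the CSRF check ever runs. Added example, not Hadoop code.
"""
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int = 200
    handled_by: str = ""  # which handler ran, "" if the request never reached one


class FilterChain:
    """Filters run in definition order; a filter continues the chain by
    calling next_filter() or stops it by returning without doing so."""

    def __init__(self, filters):
        self._filters = list(filters)

    def run(self, req):
        resp = Response()
        self._dispatch(0, req, resp)
        return resp

    def _dispatch(self, i, req, resp):
        if i < len(self._filters):
            self._filters[i](req, resp, lambda: self._dispatch(i + 1, req, resp))


# Assumptions about the Hadoop filter (not taken from the JIRA page):
CSRF_HEADER = "X-XSRF-HEADER"                         # header the filter requires
DEFAULT_METHODS_TO_IGNORE = "GET,OPTIONS,HEAD,TRACE"  # safe methods it lets through
CSRF_REJECT_STATUS = 400                              # status on a missing header


def make_csrf_filter(params):
    """Build the CSRF filter from a parameter map of the kind
    getCsrfConfigParameters() returns (keys without the config prefix);
    only methods-to-ignore and custom-header are modelled."""
    ignored = {m.strip().upper()
               for m in params.get("methods-to-ignore", DEFAULT_METHODS_TO_IGNORE).split(",")
               if m.strip()}
    header = params.get("custom-header", CSRF_HEADER)

    def csrf_filter(req, resp, next_filter):
        if req.method.upper() in ignored or header in req.headers:
            next_filter()
        else:
            resp.status = CSRF_REJECT_STATUS  # stop here; no handler runs
    return csrf_filter


def make_guice_filter(routes):
    """Model of GuiceFilter: a matched route is handled right here and the
    remaining filters are not invoked; unmatched paths are passed on."""
    def guice_filter(req, resp, next_filter):
        handler = routes.get(req.path)
        if handler is None:
            next_filter()
        else:
            handler(req, resp)
    return guice_filter


def rm_routes():
    """Constructed stand-in for one state-changing REST resource."""
    def change_app_state(req, resp):
        resp.handled_by = "apps.state"
    return {"/ws/v1/cluster/apps/app_1/state": change_app_state}


def build_chain(csrf_first, csrf_params=None):
    """csrf_first=True is the ordering the review asks for; False is the
    ordering in the patch as posted (Guice defined before CSRF)."""
    csrf = make_csrf_filter(csrf_params or {})
    guice = make_guice_filter(rm_routes())
    return FilterChain([csrf, guice] if csrf_first else [guice, csrf])


def probe(csrf_first, method, headers=None, csrf_params=None):
    """Return (status, handled_by) for one request through the chosen chain."""
    req = Request(method, "/ws/v1/cluster/apps/app_1/state", headers or {})
    resp = build_chain(csrf_first, csrf_params).run(req)
    return resp.status, resp.handled_by


if __name__ == "__main__":
    # Guice before CSRF: a header-less PUT is handled; the CSRF check never runs.
    print("guice first, no header:", probe(False, "PUT"))
    # CSRF before Guice: the same request is rejected before any handler sees it.
    print("csrf first, no header: ", probe(True, "PUT"))
    print("csrf first, header:    ", probe(True, "PUT", {CSRF_HEADER: "1"}))
    print("csrf first, GET:       ", probe(True, "GET"))
```

With the patch's ordering, the state-changing PUT without the header is handled and returns 200, which is exactly the bypass the comment describes; swapping the two defineFilter calls makes the same request stop at the CSRF filter with a 400, while GET and requests carrying the header still go through. The same probe also shows why a too-wide methods-to-ignore value quietly reopens the hole.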



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
